EP2628327B1 - Method and system for dynamically establishing encrypted tunnels on constrained-band networks (Google Patents)

Publication number: EP2628327B1
Authority: EP (European Patent Office)
Application number: EP11769850.6A
Other versions: EP2628327A1 (en)
Other languages: German (de), French (fr)
Inventors: Dominique Billonneau, Nicolas Suard
Original and current assignee: Thales SA
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Prior art keywords: encrypted, data, encryption, port, router

Classifications (CPC)

    • H04L63/0272 Virtual private networks (under H04L63/02, separating internal from external traffic, e.g. firewalls; H04L63/00, network architectures or protocols for network security)
    • H04L63/04 Providing a confidential data exchange among entities communicating through data packet networks; H04L63/0428, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/164 Implementing security features at the network layer (under H04L63/16, at a particular protocol layer)
    • H04L65/65 Network streaming protocols, e.g. RTP or RTCP (under H04L65/60, network streaming of media packets; H04L65/00, supporting real-time applications in data packet communication)
    • H04B7/1851 Systems using a satellite or space-based relay; H04B7/18528 satellite systems providing two-way communications service to a network of fixed stations (fixed satellite service or VSAT); H04B7/1853 satellite systems providing telephony service to a mobile station (mobile satellite service); H04B7/18578 satellite systems providing broadband data service to individual earth stations; H04B7/18589 arrangements for controlling an end-to-end session, i.e. initialising, synchronising or terminating an end-to-end link (all under H04B7/185, space-based or airborne stations; H04B7/15, active relay systems; H04B7/14, relay systems; H04B7/00, radio transmission systems)
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information (PII); H04W12/033 protecting confidentiality of the user plane, e.g. the user's traffic, by encryption (under H04W12/03 and H04W12/00, security arrangements, authentication, privacy)
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules (under G06F21/60, protecting data; G06F21/00, security arrangements for protecting computers, components, programs or data against unauthorised activity)
    • H04L2012/5608 Satellite (under H04L2012/5604, medium of transmission; H04L2012/5603, access techniques; H04L12/5601, transfer mode dependent, e.g. ATM; H04L12/56, packet switching systems; H04L12/54, store-and-forward switching systems; H04L12/00, data switching networks)

Definitions

  • The object of the invention relates to a method and a system architecture making it possible to dynamically establish one or more encrypted tunnels on constrained-band communication networks.
  • In particular, it makes it possible to encrypt one or more data streams while guaranteeing quality of service on constrained-band systems, in particular for encrypted streams of the voice over IP (Internet Protocol) or data type.
  • These tunnels are thus fitted as closely as possible to the useful data flow while making it possible to control and assign the values required for quality of service (QoS) on these networks.
  • The invention is, for example, used in systems implementing satcom satellite links of the type IP (Internet Protocol) or voice over IP in BGAN clear mode, known to those skilled in the art, or for the modes known under the English names "SwiftBroadband" and "FleetBroadband". It also applies to all communication systems referring to the part of the media-sharing standard known by the acronym 3GPP.
  • The word "streaming" designates a class of Satcom services with guaranteed throughput (mainly used for real-time applications).
  • The word "transceiver" designates a transceiver whose particular function is to broadcast an input signal to several outputs.
  • An outgoing call is defined as an outbound call, an incoming call as an inbound call.
  • Communications over constrained-band networks and, mainly, over satellite generally represent a high cost for the end consumer, and also for the operators.
  • Optimizing the cost of encryption or data security would make data protection accessible to a greater number of people while keeping prices accessible to end consumers: costs comparable or even identical to those of unprotected data.
  • The current encryption solutions known to the Applicant consist, for example, in opening an encrypted tunnel and passing the traffic that needs protection through this tunnel.
  • The current trend known to the Applicant is to open a global tunnel in Best Effort, disregarding quality of service, or to open a global tunnel associated with a 128 Kb stream ("streaming") for all communications, hoping that several communications will be established so as to amortize the cost of the streaming.
  • FIG. 1 represents a first terminal T1, an onboard encryptor 1 and a terminal T2 with a ground encryptor 2, with an example of communication route encryption 3, showing the 64 Kbit flow, the 24K voice over IP (VoIP), the tunnel plus the encryption header, and the Best Effort, in this example taken from the Inmarsat domain.
  • Document EP1432210 describes a mechanism for configuring a satellite terminal as a function of the streams to be transmitted (QoS, encryption), assuming that these streams arrive unencrypted at the terminal.
  • The data terminals are, for example, terminals of the voice over IP type.
  • The router is configured to apply the TFT rules, the communication system being a satellite system of the BGAN, SwiftBroadband, FleetBroadband or GPRS type.
  • A communication tunnel can be configured in a template file associating traffic identified by an RTP or UDP port with an ESPI value corresponding to the identifier of an encrypted tunnel, interpreted by the TFT rules.
  • The first encryption module implements, for example, IPsec encryption.
  • The method is used in particular to dynamically establish tunnels or channels of encrypted communication between two terminals.
  • The method and architecture according to the invention are based in particular on IPsec encryption, which allows an encrypted tunnel to be opened per communication and/or per type of traffic.
  • Each tunnel is configured, for example, in a template file which associates identified traffic (e.g. RTP port, UDP port) with a hexadecimal "espi" identifier value of an encrypted tunnel, interpreted by the TFT rules, which ensure a determined path for an identified data flow.
  • The data flow coming from the first terminal T1 is transmitted, in this example of implementation, to an onboard encryptor 1, then passes through a router R1 whose particular function is to direct the data flow correctly to its recipient.
  • The data flow frame generally includes an identifier for the address of the sending source and an identifier for the final destination address of the communication.
  • The data frame includes a tunnel identifier Idt.
  • The onboard encryptor checks the identifier (RTP port, UDP port) of the data stream and encrypts the data of the stream if this identifier corresponds to a value (RTP port, UDP port, etc.) contained in the IPsec configuration file.
  • The traffic or data stream F1C thus encrypted contains an "espi" field set according to its identification; F1C is then assigned to a tunnel address by the router R1.
  • The method according to the invention thus makes it possible to encrypt VoIP-type flows communication by communication, and to assign to these flows the appropriate quality of service (QoS), both on an outbound call and on an inbound call.
  • The method makes it possible to encrypt the flows service by service, and to assign to these encrypted flows the appropriate quality of service (QoS), both on an outbound call and on an inbound call. This has the advantage of significantly reducing the bandwidth consumed and therefore the cost of communications.
  • The method according to the invention also guarantees, despite the significant overhead of the IPsec tunnel, that all VoIP communications will be encrypted and will benefit from a quality of service associated with a 32K stream ("streaming"), for example.
  • This solution currently makes it possible to establish, for example, 7 simultaneous voice communications (RTP port) per terminal, whatever the type of vocoder used by this terminal.
  • The encrypted traffic F1C is processed at the receiver R2, which decrypts the data stream in the ground encryptor 2 according to the method detailed in figures 3 and 4.
  • Figure 3 shows schematically an example of architecture for the system operating in the direction from a terminal towards the satellite.
  • T1, ..., T7 transmit the data streams to be routed to another recipient via the satellite to a SIP server 20.
  • The SIP server transmits the data streams to be encrypted to a router 30 comprising a first encryption module 40 and TFT rules.
  • The encryption module 40 reads the identifier of the RTP or UDP port present in the data frame to be encrypted; then, if a reference matches, it encrypts the data stream with the key corresponding to the identified RTP or UDP port, using the correspondence table (IPsec configuration file). To these encrypted data, the encryption module 40 adds in the ESPI field the value which corresponds, in this example, to a hexadecimal value (IPsec identifier as a function of the RTP or UDP port number). Only this ESPI value is visible from the outside; the data of the stream is encrypted.
  • The router 30 then applies the TFT streaming channel allocation rules to transmit the encrypted data stream(s) to a modem 60 comprising, for example, 2 SIM cards 61, only one being shown in this figure.
  • A SIM card allows the opening of communication channels or encrypted tunnels.
  • The Satcom modem then transmits the various encrypted data streams via the various streaming channels to the satellite S.
  • The function of the TFT rules manager is in particular to apply the TFT streaming channel allocation rules as a function of the ESPI field of the encrypted data frame(s).
  • Figure 4 shows the reverse direction of data transmission and channel opening, from the satellite to the recipients.
  • The DP network 71 represents the distribution partner offering the delivery contract: ground station, Inmarsat satellite, recipient.
  • The encrypted streams at the output of the distribution partner 71 are then transmitted to a router 80 comprising an encryption module 81.
  • The encryption module notably comprises a correspondence table between the value contained in the ESPI field of a data stream and an RTP port number.
  • The decryption module decrypts the data of the encrypted stream using the encryption key corresponding to the RTP or UDP port number.
  • The decrypted data stream is then transmitted to the SIP server which, depending on the RTP value, transmits the data stream to the final recipient.
  • Figure 5 represents an example of distribution of the encrypted data streams from a terminal T1 to a terminal T2 via the satellite S and the encryption and routing systems described in figures 3 and 4.
  • The bandwidth of the VoIP (IP + UDP + RTP + payload) must not exceed 16 Kbps.
  • The codec chosen is G729, whose timing is re-sequenced at 60 ms.
  • The call message is sent to the SIP server managing the terminals.
  • The message is then transmitted to the encryption module.
  • The encryption module encrypts the packet, then fills the ESP field with the value defined in the esp field of the tunnel configuration file.
  • An example of an encrypted application is given below.
  • On receipt of a packet whose ESP field corresponds to a rule (in the example 0x510 outbound and 0x511 inbound), the traffic is immediately assigned to a streaming channel if the resource is available.
  • The onboard router receives the ESP packets and transmits them to the encryptor.
  • The packet thus decrypted is then sent to the SIP server for transmission to the destination terminal.
  • RTP traffic is established and then sent to the encryptor.
  • An SPI field is assigned to the traffic after encryption, which is then sent to the router for assignment of a TFT rule.
  • A stream identified 0x510 and a stream identified 0x511 transit in Best Effort. These flows have a correspondence in the TFT management which automatically assigns a STREAM32K channel to this type of flow.
  • The communication is automatically positioned on the streaming type of stream.
  • The solution, being based on IPsec encryption, allows an encrypted tunnel to be opened per communication and/or per type of traffic.
  • The solution makes it possible to encrypt VoIP-type flows communication by communication, and to assign to these flows the appropriate quality of service, both on an outbound call and on an inbound call.
  • The implementation of the present invention makes it possible to encrypt the flows service by service, and to assign to these flows the appropriate quality of service (QoS), both on an outbound call and on an inbound call. This makes it possible to significantly reduce the bandwidth consumed and therefore the cost of communications.
  • The object of the present invention guarantees, despite the significant overhead of the IPsec tunnel, that all VoIP communications will be encrypted and will benefit from a quality of service associated with 32K streaming.
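The pipeline summarised above (onboard encryptor keyed by RTP/UDP port, router assigning a TFT streaming channel from the cleartext "espi" field, ground encryptor mapping that field back to a key and an RTP port for the SIP server) as an added simulation. This is not code from the patent or from Thales. The template structure, the 0x510 outbound / 0x511 inbound values and the STREAM32K rule are taken from the page; the page's ESPI value plays the role of the ESP Security Parameters Index (SPI), the cleartext header field that identifies a security association. The UDP port numbers, the keys, the packet layout and the transform (an HMAC-SHA256 keystream plus a truncated HMAC tag, standing in for a real IPsec ESP cipher suite so the example runs on the standard library alone) are constructed for the demo.

```python
"""Port-keyed encryption with SPI-based TFT channel allocation (simulation)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Tunnel template file, as a dict: identified traffic -> SPI ("espi") and key.
# The ground side holds the same table, as with a pre-shared IPsec SA.
# Ports and keys are constructed for the demo.
TUNNEL_TEMPLATE = {
    ("udp", 5004): {"spi": 0x510, "key": b"\x11" * 32},   # outbound RTP
    ("udp", 5006): {"spi": 0x511, "key": b"\x22" * 32},   # inbound RTP
}

# TFT rules of the router: SPI visible in clear -> streaming channel (from the page).
TFT_RULES = {0x510: "STREAM32K", 0x511: "STREAM32K"}
DEFAULT_CHANNEL = "BEST_EFFORT"


@dataclass
class ClearPacket:
    proto: str
    dst_port: int
    payload: bytes


@dataclass
class EspPacket:
    spi: int          # the only field the router needs to read
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (demo stand-in for the ESP cipher)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _tag(key, spi, nonce, ciphertext):
    """Integrity check value over the cleartext SPI, the nonce and the ciphertext."""
    msg = spi.to_bytes(4, "big") + nonce + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()[:12]


def onboard_encrypt(pkt):
    """Onboard encryptor: encrypt only flows whose (proto, port) is in the template."""
    entry = TUNNEL_TEMPLATE.get((pkt.proto, pkt.dst_port))
    if entry is None:
        return pkt                                   # unlisted flow passes in clear
    nonce = os.urandom(12)                           # fresh per packet
    ks = _keystream(entry["key"], nonce, len(pkt.payload))
    ct = bytes(a ^ b for a, b in zip(pkt.payload, ks))
    return EspPacket(entry["spi"], nonce, ct, _tag(entry["key"], entry["spi"], nonce, ct))


def tft_channel(pkt):
    """Router TFT manager: pick a channel from the SPI alone; the payload is never read."""
    if isinstance(pkt, EspPacket):
        return TFT_RULES.get(pkt.spi, DEFAULT_CHANNEL)
    return DEFAULT_CHANNEL


def ground_decrypt(esp):
    """Ground encryptor: SPI -> key and RTP port; verify the tag before decrypting."""
    match = [(k, v) for k, v in TUNNEL_TEMPLATE.items() if v["spi"] == esp.spi]
    if not match:
        raise ValueError("unknown SPI 0x%x" % esp.spi)
    (proto, port), entry = match[0]
    if not hmac.compare_digest(_tag(entry["key"], esp.spi, esp.nonce, esp.ciphertext), esp.tag):
        raise ValueError("integrity check failed")
    ks = _keystream(entry["key"], esp.nonce, len(esp.ciphertext))
    return ClearPacket(proto, port, bytes(a ^ b for a, b in zip(esp.ciphertext, ks)))


def run_call(dst_port, payload=b"G729 frame (constructed)"):
    """Push one packet through encryptor -> router -> ground; report what each stage saw."""
    wire = onboard_encrypt(ClearPacket("udp", dst_port, payload))
    channel = tft_channel(wire)
    if isinstance(wire, EspPacket):
        recovered = ground_decrypt(wire)
        return {"spi": wire.spi, "channel": channel, "encrypted": wire.ciphertext != payload,
                "recovered_port": recovered.dst_port, "recovered_payload": recovered.payload}
    return {"spi": None, "channel": channel, "encrypted": False,
            "recovered_port": wire.dst_port, "recovered_payload": wire.payload}


if __name__ == "__main__":
    print(run_call(5004))   # RTP flow: SPI 0x510, STREAM32K, payload round-trips
    print(run_call(5060))   # SIP signalling: no template entry, best effort, in clear
```

Two points worth noting when reading this against the page. First, the QoS decision at the router depends only on the SPI, so the router never needs the key; the price is that the traffic class of each flow is visible on the wire even though the payload is not. Second, a real ESP header also carries a sequence number used for anti-replay checks, which this demo omits; a deployment should not rely on the SPI-to-key table alone to reject replayed packets.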

Description

The object of the invention relates to a method and a system architecture making it possible to dynamically establish one or more encrypted tunnels on constrained-band communication networks. In particular, it makes it possible to encrypt one or more data streams while guaranteeing quality of service on constrained-band systems, in particular for encrypted streams of the voice over IP (Internet Protocol) or data type. These tunnels are thus fitted as closely as possible to the useful data flows while making it possible to control and assign the values required for quality of service (QoS) on these networks.

The invention is, for example, used in systems implementing satcom satellite links of the type IP (Internet Protocol) or voice over IP in BGAN clear mode, known to those skilled in the art, or for the modes known under the English names "SwiftBroadband" and "FleetBroadband". It also applies to all communication systems referring to the part of the media-sharing standard known by the acronym 3GPP.

Definitions

In the remainder of the discussion, the following abbreviations and their definitions will be used:

  • PDP: Packet Data Protocol. A PDP context comes from the GPRS technology known to those skilled in the art; it is a set of information which characterizes a basic transmission service; it groups together the parameters which allow a subscriber to communicate with a well-defined PDP address, according to a determined quality of service profile (delay, priority, throughput, etc.).
  • RTP: Real Time Protocol. A protocol over IP which makes it possible to identify the type of information transported, to add markers and sequence numbers, and to check the arrival of the packets at their destination.
  • TFT: initials designating a series of filters which ensure a determined path for applications whose flow is identified by the TFT filters; TFT is the English abbreviation of "Traffic Flow Template". For example, Inmarsat technology uses TFTs.
  • VoIP: Voice over IP.
  • SIP: Session Initiation Protocol. This protocol is normalized and standardized. It is also responsible for negotiating all the types of media usable by the various participants, by encapsulating SDP (Session Description Protocol) messages. SIP does not transport the data exchanged during the session, such as voice or video. Since SIP is independent of the data transmission, any type of data and protocol can be used for this exchange. However, in current practice, the RTP protocol most often carries the audio and video sessions.

The word "streaming" designates a class of Satcom services with guaranteed throughput (mainly used for real-time applications).

The word "transceiver" designates a transceiver whose particular function is to broadcast an input signal to several outputs.

An outgoing call is defined as an outbound call, an incoming call as an inbound call.

Communications over constrained-band networks and, mainly, over satellite generally represent a high cost for the end consumer, and also for the operators.

More and more applications show the need for encryption: for example maintenance information between an aircraft and its maintenance base, the privacy of communications for VIPs, military communications, etc. In all cases, data protection often results in higher communication costs.

Optimizing the cost of encryption or data security would make data protection accessible to a greater number of people while keeping prices accessible to end consumers: costs comparable or even identical to those of unprotected data.

The current encryption solutions known to the Applicant consist, for example, in opening an encrypted tunnel and passing the traffic that needs protection through this tunnel.

In the case of traffic requiring, in addition to encryption, a particular quality of service (voice, video streams, etc.), it is then necessary to use a guaranteed-bandwidth class of service. In BGAN, FleetBroadband and SwiftBroadband systems, or in all systems referring to the relevant part of the 3GPP standard, this consists in opening a streaming session. For the encrypted tunnel to be used, the tunnel must be permanently open and all the traffic must pass through it. This is particularly unsuitable for telephony, especially in terms of cost, because it is difficult to control the start and end of a call in order to open and close the tunnel.

The current trend known to the Applicant is to open a global tunnel in Best Effort, disregarding quality of service, or to open a global tunnel associated with a 128 Kb stream ("streaming") for all communications, hoping that several communications will be established so as to amortize the cost of the streaming.

This trend is shown schematically in figure 1, which represents a first terminal T1, an onboard encryptor 1 and a terminal T2 with a ground encryptor 2, with an example of communication route encryption 3, showing the 64 Kbit flow, the 24K voice over IP (VoIP), the tunnel plus the encryption header, and the Best Effort, in this example taken from the Inmarsat domain.
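The cost argument of the preceding paragraphs turns on how much of a streaming class a single encrypted call actually consumes. The following added calculator, which is not part of the patent, works that out per packet. It takes from the document the G729 codec re-timed to 60 ms, the 16 Kbps ceiling on IP + UDP + RTP + payload and the 32K streaming class per call, and reads those "K" figures as kbit/s. The ESP framing is an assumption: tunnel mode with a 16-byte IV and 16-byte block cipher (AES-CBC style padding) and a 12-byte integrity check value; other cipher suites change the constants but not the method.

```python
"""Per-packet bandwidth of a VoIP call, in clear and inside an ESP tunnel."""
import math

IP_HDR, UDP_HDR, RTP_HDR = 20, 8, 12        # bytes; IPv4 without options
ESP_SPI_SEQ, ESP_IV, ESP_ICV = 8, 16, 12    # assumed ESP transform (CBC-style, 12-byte ICV)
ESP_TRAILER = 2                             # pad length + next header
BLOCK = 16                                  # cipher block size for padding


def clear_packet_bytes(codec_kbps, ptime_ms):
    """IP + UDP + RTP + payload for one voice frame of ptime_ms milliseconds."""
    payload = codec_kbps * ptime_ms // 8    # kbit/s * ms = bits; /8 -> bytes
    return IP_HDR + UDP_HDR + RTP_HDR + payload


def esp_tunnel_packet_bytes(inner_bytes):
    """Tunnel-mode ESP: outer IP + SPI/seq + IV + padded(inner + trailer) + ICV."""
    padded = math.ceil((inner_bytes + ESP_TRAILER) / BLOCK) * BLOCK
    return IP_HDR + ESP_SPI_SEQ + ESP_IV + padded + ESP_ICV


def kbps(packet_bytes, ptime_ms):
    """Bits per millisecond is kbit/s."""
    return packet_bytes * 8 / ptime_ms


def voip_budget(codec_kbps, ptime_ms, stream_class_kbps=32, clear_limit_kbps=16):
    """Check one call against the page's 16 Kbps clear ceiling and 32K streaming class."""
    clear = clear_packet_bytes(codec_kbps, ptime_ms)
    esp = esp_tunnel_packet_bytes(clear)
    return {
        "clear_bytes": clear,
        "esp_bytes": esp,
        "clear_kbps": kbps(clear, ptime_ms),
        "esp_kbps": kbps(esp, ptime_ms),
        "fits_clear_limit": kbps(clear, ptime_ms) <= clear_limit_kbps,
        "fits_stream": kbps(esp, ptime_ms) <= stream_class_kbps,
    }


if __name__ == "__main__":
    # G729 is an 8 kbit/s codec; 60 ms is the page's re-timed packetization.
    print("G729 @ 60 ms:", voip_budget(8, 60))
    # The same codec at a 20 ms packetization, to show why the re-timing matters.
    print("G729 @ 20 ms:", voip_budget(8, 20))
```

At 60 ms a G729 packet is 100 bytes in clear (13.3 kbit/s, under the 16 Kbps ceiling) and 168 bytes inside the assumed ESP tunnel (22.4 kbit/s, inside a 32K stream). At 20 ms the same call would need 48 kbit/s once encrypted, so it would no longer fit a per-call 32K stream; the 60 ms re-timing is what makes one streaming class per encrypted call viable, which is the premise of the per-call tunnels the document proposes in place of a permanently open global tunnel.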

Document EP1432210 describes a mechanism for configuring a satellite terminal as a function of the streams to be transmitted (QoS, encryption), assuming that these streams arrive in clear at the terminal.

The document entitled "BGAN and IP data connections Version 01", BGAN solutions guide, 8 May 2006, describes how connections operate in the BGAN network and how each terminal manages data.

The document by L. Duquerroy et al., entitled "SatIPSec; an optimized solution for securing multicast and unicast satellite transmissions", A collection of the 22nd AIAA International Communications Satellite Systems Conference and Exhibit Technical Papers, January 2004, ISBN 978-7-56-347712-6, introduces the principle of data security mechanisms for satellite transmissions.

The technical teaching of the document by Lloyd Wood et al., entitled "IPv6 and IPsec on a satellite in space", Proceedings of the 58th International Astronautical Congress, Hyderabad, India, 24-28 September 2007, concerns the two protocols IPv6 and IPsec and does not specify the encryption possibilities.

The invention relates to a system for dynamically establishing one or more encrypted tunnels for transmitting data between a set of onboard equipment, comprising one or more terminals, a SIP (Session Initiation Protocol) server and an onboard router, and a second, ground set comprising a ground router and terminals, the two sets being adapted to communicate over constrained-band networks of the satellite link type, the network using a real-time protocol. The system comprises at least the following elements:

  • the one or more onboard terminals are configured to transmit a data stream, to be routed to another recipient via a satellite S, to the SIP server,
  • the SIP server is configured to modify the real-time protocol port identifier of the stream to be encrypted and to forward the stream to the onboard router, the onboard router comprising a first encryption module and rules that provide a path for an identified data flow,
  • the first (onboard) encryption module is configured to read the real-time protocol port identifier present in a data frame to be encrypted and, if that identifier matches a given value held in a configuration file, to encrypt the data stream with the key corresponding to the identified port,
  • the first encryption module is configured to add to the encrypted data frame a field identifying the encrypted data stream,
  • the onboard router is configured to apply streaming channel assignment rules to transmit the encrypted data stream(s) to a modem comprising a module that opens a number of encrypted tunnels equal to the number of communications, or one per type of traffic,
  • the Satcom modem is configured to transmit the various encrypted data streams over the various encrypted channels to the communication satellite S,
  • a receiving station linked to the satellite is configured to distribute the encrypted data streams received from the satellite to the ground routing module, which comprises an encryption-decryption module,
  • the encryption-decryption module comprises a table mapping the value carried in the field identifying an encrypted data stream to a port number of the real-time communications protocol, and mapping the identified port value to the decryption key to be used; it is configured to decrypt the data streams and to forward the decrypted data to a set of destination terminals.

The data terminals are, for example, voice over IP terminals.

The router is configured to apply TFT (Traffic Flow Template) rules, the communication system being a satellite system of the BGAN, SwiftBroadband or FleetBroadband type, or GPRS.

A communication tunnel can be configured in a template file that associates traffic identified by an RTP or UDP port with an "espi" value, the identifier of an encrypted tunnel (the ESP Security Parameters Index, SPI), which is interpreted by the TFT rules.

The first encryption module implements, for example, IPsec encryption.

The invention also relates to a method for dynamically establishing encrypted communication tunnels or channels between at least two sets of equipment: one, called the onboard station, comprising a SIP (Session Initiation Protocol) server, one or more terminals and an onboard router containing an encryption module; the other, called the ground station, comprising a ground router containing a decryption module and terminals; the two being adapted to communicate over constrained-band networks of the satellite link type, the network using a real-time communication protocol. The method comprises at least the following steps:

The SIP server modifies a protocol port identifier on the data flows transmitted by the terminals and forwards them to the onboard router,

  1) generate a configuration file which includes, for each end of a tunnel: the real-time protocol port identifier of a data stream to be encrypted, an encryption key, and the value of an identifier of the encrypted data stream,
  2) encrypt a data stream by means of the encryption module, which performs the following steps:
    • read the real-time protocol port identifier present in a data frame to be encrypted and, if the encryption module finds in the configuration file an identifying element corresponding to the identified port, encrypt the data stream with the key corresponding to that port, the encrypted stream thus comprising a field identifying the destination address and an identifier of the encrypted data stream,
  3) the router applies streaming channel assignment rules to transmit the encrypted traffic to a satcom modem comprising a first card adapted to open communication channels in order to transmit the encrypted streams to the satellite S,
  4) the satellite transmits the encrypted streams to a ground station,
  5) the encrypted streams are received by the ground router, and the decryption module of the ground router decrypts the data stream using the encryption key associated in the configuration file with the identifier of the encrypted data stream,
  6) transmit the decrypted data stream to the recipient.

The method is used in particular to dynamically establish encrypted communication tunnels or channels between two terminals.

Other features and advantages of the device according to the invention will become clearer on reading the following description of an embodiment, given by way of illustration and in no way limiting, with reference to the appended figures, which represent:

  • figure 1, an example of encryption of a tunnel according to the prior art between an onboard terminal T1 and a ground terminal T2,
  • figure 2, an example of an encryption architecture according to the invention,
  • figure 3, an example diagram of the modules of the air segment,
  • figure 4, an example diagram of the modules of a ground segment, and
  • figure 5, an illustration of an end-to-end communication implementing the method according to the invention.

To aid understanding of the invention, the following description is given, by way of illustration, for a system that uses the aforementioned standard SIP protocol. The mechanisms implemented are therefore transparent to any terminal compatible with the communication protocol used.

The method and architecture according to the invention rely in particular on IPsec encryption, which allows an encrypted tunnel to be opened per communication and/or per type of traffic.

Each tunnel is configured, for example, in a template file that associates identified traffic (e.g. an RTP port, a UDP port, etc.) with an "espi" value, the hexadecimal identifier of an encrypted tunnel (the ESP SPI), which is interpreted by the TFT rules to provide a determined path for an identified data flow.

The encryption keys are obtained from an IPsec configuration file which includes, for each tunnel end:

  • for the uplink tunnel, the identified traffic, its associated espi identifier and the encryption key,
  • for the downlink tunnel, the identified traffic, its associated espi identifier and the encryption key.

The data flow from the first terminal T1 is transmitted to an onboard encryptor 1 in this example embodiment, then passes through a router R1 whose function is notably to direct the data flow correctly to its recipient. The data flow frame generally includes an identifier for the address of the sending source and an identifier for the final destination address of the communication.

A communication tunnel is configured in a template file that associates identified traffic (e.g. RTP port, UDP port, etc.) with an "espi" value corresponding to the identifier of an encrypted tunnel, interpreted by the TFT rules. The data frame will include a tunnel identifier Idt.

The onboard encryptor checks the identifier (RTP port, UDP port) of the data flow and encrypts the data of the flow if this identifier matches a value (RTP port, UDP port, etc.) contained in the IPsec configuration file.

The traffic or data flow F1C thus encrypted contains an "espi" field set according to its identification; F1C is then assigned to a tunnel address by the router R1.

In the case of telephony, the method according to the invention thus makes it possible to encrypt VoIP flows communication by communication, and to assign these flows the appropriate quality of service (QoS), on an outbound call as well as on an inbound call.

For data, the method makes it possible to encrypt flows service by service and to assign these encrypted flows the appropriate QoS, on an outbound call as well as on an inbound call. This has the advantage of significantly reducing the bandwidth consumed and therefore the cost of communications.

The method according to the invention also makes it possible to guarantee, despite the significant overhead of the IPsec tunnel, that all VoIP communications will be encrypted and will benefit from a quality of service associated with a 32K stream, for example. This solution thus currently makes it possible to establish, for example, 7 simultaneous voice communications (RTP port) per terminal, whatever type of vocoder the terminal uses.

After crossing the communication channel 3, the encrypted traffic F1C is processed at the receiver R2, which decrypts the data flow in the ground encryptor 2 according to a method detailed in figures 3 and 4.

Figure 3 shows schematically an example architecture for the system operating in the terminal-to-satellite direction.

In this figure, several terminals 10, designated T1 to T7, transmit the data streams to be routed to another recipient via the satellite to a SIP server 20.

The SIP server 20 is notably adapted to:

  • intercept SIP signalling messages,
  • modify the RTP port numbers,
  • intercept and control the RTP flow between the terminals,
  • adapt the vocoder to the bandwidth constraint of the encrypted channel,
  • control the number of communications that can be established in the incoming or outgoing direction on the satellite segment,
  • assign communications to the available trunks,
  • check for, and prevent, calls being placed simultaneously by the aircraft (onboard) and the ground.

The SIP server forwards the data streams to be encrypted to a router 30 comprising a first encryption module 40 and TFT rules.

The encryption module 40 reads the RTP or UDP port identifier present in the data frame to be encrypted; if a reference matches, it encrypts the data stream with the key corresponding to the identified RTP or UDP port, using the correspondence table (IPsec configuration file). To this encrypted data the encryption module 40 adds, in the ESPI field, the corresponding value, in this example a hexadecimal value (the IPsec identifier chosen according to the RTP or UDP port number). Only this ESPI value is visible from the outside; the data of the stream is encrypted. Since each configured flow type has a fixed SPI, an outside observer can tell which tunnel, and hence which class of traffic, is in use, but not its content.

The encryption module has the following functions in particular:

  • assign an IPsec identifier according to the RTP, UDP or other port number,
  • establish one encrypted channel per VoIP communication or per type of data transmission.

The router 30 then applies the TFT streaming channel assignment rules to transmit the encrypted data stream(s) to a modem 60 comprising, for example, 2 SIM cards 61, only one of which is shown in this figure. A SIM card allows communication channels, or encrypted tunnels, to be opened. The Satcom modem then transmits the various encrypted data streams over the various streaming channels to the satellite S.

The function of the TFT rules manager is in particular to apply the TFT streaming channel assignment rules according to the ESPI field of the encrypted data frame(s).

Figure 4 shows schematically the reverse direction of data transmission and channel opening, from the satellite to the recipients.

The satellite S, having received the encrypted streams to be transmitted to recipients, transmits them to an earth station 70, for example. The DP network 71 represents the distribution partner holding the routing contract for the earth station, the Inmarsat satellite and the recipient.

The encrypted streams at the output of the distribution partner 71 are then transmitted to a router 80 comprising an encryption-decryption module 81. This module notably comprises a correspondence table between the value contained in the ESPI field of a data stream and an RTP port number. The decryption module decrypts the data of the encrypted stream using the encryption key corresponding to the RTP or UDP port number.

The decrypted data stream is then transmitted to the SIP server which, according to the RTP value, forwards the data stream to the final recipient.

Figure 5 represents an example of distribution of the encrypted data streams from a terminal T1 to a terminal T2 via the satellite S and the encryption and routing systems described in figures 3 and 4.

An example implementation is given to better describe the simplified operation of the system according to the invention during an outbound and an inbound call for encrypted VoIP flows.

Bandwidth management

Since the IPsec overhead is very significant, it is absolutely necessary to have control over the type of codec negotiated and over the packet timing.

To be able to carry a VoIP communication in a 32K channel with encryption, the VoIP bandwidth (IP + UDP + RTP + payload) must not exceed 16 kbit/s.

This requires a low bit rate, good quality vocoder. In our example the one chosen is G.729, whose packetization is re-sequenced to 60 ms.
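As an added worked example (not code from the patent), the following Python script checks the two budgets stated above for a few codec and packetization choices, and goes one step beyond the text by also computing the size of the ESP tunnel-mode packet so that the fit in the 32K streaming channel can be checked directly. The header sizes, the AES-CBC IV length, the 16-byte truncated HMAC-SHA-256 ICV and the codec bit rates are assumptions of this example, not values from the page.

```python
"""Bandwidth budget for one encrypted VoIP call on a constrained satellite channel.

Added worked example, not code from the patent. It checks the two limits the text
states: the clear VoIP stream (IP+UDP+RTP+payload) must stay under 16 kbit/s, and
the ESP tunnel-mode stream must fit the 32K streaming channel. Assumptions (not from
the page): IPv4 headers without options, AES-CBC with a 16-byte IV, a 16-byte
truncated HMAC-SHA-256 ICV (RFC 4868), and the ITU-T bit rates of G.729 and G.711.
"""
from dataclasses import dataclass

IPV4_HDR = 20
UDP_HDR = 8
RTP_HDR = 12

# Codec bit rates in kbit/s (ITU-T G.729 = 8 kbit/s, G.711 = 64 kbit/s).
CODEC_KBPS = {"G.729": 8, "G.711": 64}


@dataclass(frozen=True)
class EspParams:
    """ESP tunnel-mode overhead parameters (assumed, see module docstring)."""
    outer_ip_hdr: int = IPV4_HDR
    spi_seq: int = 8       # 4-byte SPI + 4-byte sequence number
    iv_len: int = 16       # AES-CBC IV
    block: int = 16        # AES block size: payload + trailer is padded to it
    icv_len: int = 16      # HMAC-SHA-256-128 ICV


def clear_packet_bytes(codec: str, ptime_ms: int) -> int:
    """Size in bytes of one clear IP/UDP/RTP packet for the given packetization."""
    payload = CODEC_KBPS[codec] * 1000 * ptime_ms // 8 // 1000
    return IPV4_HDR + UDP_HDR + RTP_HDR + payload


def esp_tunnel_packet_bytes(inner_bytes: int, p: EspParams = EspParams()) -> int:
    """Size of the ESP tunnel-mode packet carrying an inner IP packet.

    The encrypted part is the inner packet plus 2 trailer bytes (pad length, next
    header), padded up to the cipher block size; the ESP header, IV and ICV sit
    outside it, and the whole thing rides in a new outer IP header.
    """
    trailer = 2
    padded = -(-(inner_bytes + trailer) // p.block) * p.block   # round up to a block
    return p.outer_ip_hdr + p.spi_seq + p.iv_len + padded + p.icv_len


def kbps(packet_bytes: int, ptime_ms: int) -> float:
    """Bit rate in kbit/s of a stream sending one packet every ptime_ms."""
    return packet_bytes * 8 / ptime_ms


def call_fits(codec: str, ptime_ms: int, clear_limit_kbps=16.0, channel_kbps=32.0):
    """Return (clear_kbps, esp_kbps, fits) for one call on a streaming channel."""
    inner = clear_packet_bytes(codec, ptime_ms)
    clear = kbps(inner, ptime_ms)
    esp = kbps(esp_tunnel_packet_bytes(inner), ptime_ms)
    return clear, esp, clear <= clear_limit_kbps and esp <= channel_kbps


if __name__ == "__main__":
    for codec, ptime in (("G.729", 20), ("G.729", 60), ("G.711", 20)):
        clear, esp, ok = call_fits(codec, ptime)
        print(f"{codec} @ {ptime} ms: clear {clear:.1f} kbit/s, "
              f"ESP tunnel {esp:.1f} kbit/s -> {'fits' if ok else 'too big'} for STREAM32K")
```

Under these assumptions G.729 at 20 ms needs 24.0 kbit/s in the clear and 49.6 kbit/s once tunnelled, so it fails both limits, while at 60 ms it needs 13.3 and 22.9 kbit/s and fits the 32K channel; that is the reason the packetization is re-sequenced to 60 ms.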

Outbound call

When a call is placed by an outbound VoIP terminal, the call message is sent to the SIP server managing the terminal.

The SIP server answers the calling terminal with a 100 Trying, then:

  • modifies the RTP port announced by the calling terminal,
  • checks the vocoders,
  • adapts the vocoding,
  • re-paces the packets.

The message is then forwarded to the encryption module.
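The four actions listed above are all edits of the SDP body carried in the INVITE. The following Python function, an added example that is not code from the patent or from any product, performs them on a constructed sample offer: it rewrites the announced RTP port to the port the tunnel policy matches on (30200, taken from the configuration example further down), rejects offers that do not include G.729, keeps G.729 only, and re-paces the stream with a=ptime:60. That static payload type 18 is G.729 comes from RFC 3551; re-anchoring the media address on the SIP server (the optional media_addr parameter) is this example's assumption, consistent with the policy matching on the SIP server addresses.

```python
"""SDP rewriting performed by the onboard SIP server before an INVITE crosses the link.

Added example, not the patent's code. Assumptions (not from the page): the sample
SDP body is constructed; RTP/AVP payload type 18 is G.729 (RFC 3551); the target
port 30200 comes from the tunnel configuration example; a=ptime requests 60 ms.
"""
import re

G729_PT = "18"            # static RTP/AVP payload type for G.729 (RFC 3551)
TUNNEL_RTP_PORT = 30200   # port the IPsec policy of the configuration example matches on
PTIME_MS = 60             # packetization the bandwidth budget requires

# Constructed sample SDP offer, as a cabin VoIP terminal might send it in an INVITE.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=cabin 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 18\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
    "a=rtpmap:18 G729/8000\r\n"
    "a=ptime:20\r\n"
)


class SdpRejected(Exception):
    """The offer cannot be made to fit the encrypted 32K channel."""


def _attr_pt(line: str):
    """Payload type named by an a=rtpmap:/a=fmtp: line, or None for other attributes."""
    m = re.match(r"a=(?:rtpmap|fmtp):(\d+) ", line)
    return m.group(1) if m else None


def rewrite_sdp(sdp: str, media_addr: str = None,
                rtp_port: int = TUNNEL_RTP_PORT, ptime_ms: int = PTIME_MS) -> str:
    """Return the SDP the SIP server forwards towards the encryptor.

    media_addr, when given, re-anchors the media (c= line) on the SIP server itself,
    which is what lets the IPsec policy match on the SIP server address.
    """
    out = []
    audio_seen = False
    for line in sdp.rstrip("\r\n").split("\r\n"):
        m = re.match(r"m=audio (\d+) RTP/AVP((?: \d+)+)$", line)
        if m:
            audio_seen = True
            if G729_PT not in m.group(2).split():          # check the offered vocoders
                raise SdpRejected("caller does not offer G.729")
            out.append(f"m=audio {rtp_port} RTP/AVP {G729_PT}")  # new port, G.729 only
            continue
        if line.startswith("c=IN IP4 ") and media_addr:
            out.append(f"c=IN IP4 {media_addr}")
            continue
        pt = _attr_pt(line)
        if pt is not None and pt != G729_PT:
            continue                                        # drop attributes of removed codecs
        if line.startswith("a=ptime:"):
            continue                                        # re-paced below
        out.append(line)
    if not audio_seen:
        raise SdpRejected("offer has no audio media line")
    out.append(f"a=ptime:{ptime_ms}")                        # re-pace the packets
    return "\r\n".join(out) + "\r\n"


def announced_rtp_port(sdp: str) -> int:
    """RTP port announced on the audio m= line, i.e. what the encryptor will classify on."""
    m = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not m:
        raise SdpRejected("offer has no audio media line")
    return int(m.group(1))


if __name__ == "__main__":
    print(rewrite_sdp(SAMPLE_SDP, media_addr="10.0.0.1"))
```

Rejecting an offer without G.729 is the conservative choice: forwarding a G.711 leg would silently exceed the 16 kbit/s clear budget and the call would not fit the streaming channel once encrypted.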

Encryption module

When a packet reaches it, the encryption module encrypts the packet and then fills the ESP field with the value defined in the esp field of the tunnel configuration file. An example of such a configuration, in setkey(8) syntax, is given below.

Example:

  # Tunnel configuration in setkey(8) syntax. The quoted strings are placeholders
  # for the real IPv4 addresses of the tunnel endpoints and of the two SIP servers.
  # Policy directions (-P in / -P out) are those of the ground endpoint.
  # The keys are the page's illustrative values; a deployment must generate its own.

  # Onboard -> ground SA (outbound call direction), tunnel identifier (SPI) 0x510
  add "onboard tunnel1 address" "ground tunnel1 address" esp 0x510
      -m tunnel
      -E rijndael-cbc 0x0838fe4d67ef6bd0745df33d684e4ed0137ca7e3e539a0827a5e185ac9b1b6dc
      -A hmac-sha256 0x3bd2851baf6d7e5f5197a8305ab81560bc78738b62f69a13b2a7754152b57b24;
  # Policy: RTP between the two SIP servers on port 30200 must use that tunnel
  spdadd "onboard SIP server address"[30200] "ground SIP server address"[30200] any -P in ipsec
      esp/tunnel/"onboard tunnel1 address"-"ground tunnel1 address"/require;

  # Ground -> onboard SA (inbound call direction), tunnel identifier (SPI) 0x511
  add "ground tunnel1 address" "onboard tunnel1 address" esp 0x511
      -m tunnel
      -E rijndael-cbc 0x44cec91db77812fc014efe4474918206817bad7466a322745c21e5ca978fc60d
      -A hmac-sha256 0x46893ee4b29ab63709a8184be4f678fd14c8b392cf1881be716764020c631c13;
  spdadd "ground SIP server address"[30200] "onboard SIP server address"[30200] any -P out ipsec
      esp/tunnel/"ground tunnel1 address"-"onboard tunnel1 address"/require;

On receipt of a packet whose ESP field matches a rule (in the example, 0x510 outbound and 0x511 inbound), the traffic is immediately assigned to a streaming channel if the resource is available.
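The data path described by the encryption module, the TFT rules manager and the ground decryptor (figures 3 and 4) and by the configuration above can be modelled end to end in a few functions. The Python below is an added example, not code from the patent or from any Thales product: the onboard side classifies a clear IPv4/UDP packet by its UDP port, wraps it in an ESP tunnel packet whose SPI identifies the flow, the TFT manager reads only that cleartext SPI to choose the channel, and the ground side maps the SPI back to keys and port, verifies the ICV before decrypting, rejects replayed sequence numbers, and checks that the decrypted packet really belongs to the flow the SA was configured for. The packets, keys and endpoint addresses are constructed, and the cipher is a stand-in (an HMAC-SHA-256 keystream in counter mode) for the AES-CBC of the configuration example; the 16-byte truncated HMAC-SHA-256 ICV follows RFC 4868.

```python
"""Per-flow ESP tunnels keyed by UDP/RTP port, with SPI-based TFT channel selection.

Added example, not code from the patent or from any product. Assumptions (not from
the page): packets, keys and tunnel endpoint addresses are constructed; the cipher
is a stand-in (HMAC-SHA-256 keystream in counter mode) for the AES-CBC of the
configuration example; the ICV is HMAC-SHA-256 truncated to 16 bytes (RFC 4868).
"""
import hashlib, hmac, os, struct
from dataclasses import dataclass

ESP_PROTO, UDP_PROTO, IPV4_PROTO = 50, 17, 4
BLOCK, IV_LEN, ICV_LEN = 16, 16, 16


@dataclass
class Tunnel:
    """One line of the tunnel configuration: port -> espi (SPI) -> keys -> channel."""
    udp_port: int
    spi: int
    enc_key: bytes
    auth_key: bytes
    channel: str
    seq: int = 0          # sender side: last sequence number used
    last_seen: int = 0    # receiver side: highest sequence number accepted


# Constructed configuration: voice on UDP 30200 gets SPI 0x510 and a 32K stream.
CONFIG = [Tunnel(30200, 0x510, os.urandom(32), os.urandom(32), "STREAM32K")]
BY_PORT = {t.udp_port: t for t in CONFIG}
BY_SPI = {t.spi: t for t in CONFIG}
ONBOARD, GROUND = bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2])   # tunnel endpoints (assumed)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header, no options; checksum left zero as nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def clear_udp_packet(src, dst, sport, dport, payload):
    """Clear IPv4/UDP packet as a VoIP terminal would emit it (RTP would be the payload)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, UDP_PROTO, len(udp)) + udp


def _keystream(key, iv, n):
    """Stand-in cipher: HMAC-SHA-256 in counter mode (see module docstring)."""
    blocks = [hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(packet):
    """Onboard encryptor: classify by UDP dst port; None means the flow stays in the clear."""
    dport = struct.unpack("!H", packet[22:24])[0]          # UDP header follows the 20-byte IPv4 header
    t = BY_PORT.get(dport)
    if t is None:
        return None
    t.seq += 1
    pad_len = (-(len(packet) + 2)) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPV4_PROTO])
    iv = os.urandom(IV_LEN)
    ct = _xor(packet + trailer, _keystream(t.enc_key, iv, len(packet) + len(trailer)))
    body = struct.pack("!II", t.spi, t.seq) + iv + ct        # the SPI is the only cleartext identifier
    icv = hmac.new(t.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(ONBOARD, GROUND, ESP_PROTO, len(body) + ICV_LEN) + body + icv


def tft_channel(outer):
    """TFT rules manager: reads nothing but the SPI to choose the streaming channel."""
    if outer[9] != ESP_PROTO:
        return "BEST_EFFORT"
    t = BY_SPI.get(struct.unpack("!I", outer[20:24])[0])
    return t.channel if t else "BEST_EFFORT"


def esp_decapsulate(outer):
    """Ground decryptor: SPI -> keys; verify ICV, reject replays, decrypt, check the port."""
    if outer[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    body, icv = outer[20:-ICV_LEN], outer[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    t = BY_SPI.get(spi)
    if t is None:
        raise ValueError("unknown SPI 0x%x" % spi)
    if not hmac.compare_digest(hmac.new(t.auth_key, body, hashlib.sha256).digest()[:ICV_LEN], icv):
        raise ValueError("ICV check failed")                # verify before decrypting anything
    if seq <= t.last_seen:
        raise ValueError("replayed sequence number %d" % seq)
    t.last_seen = seq
    iv, ct = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    pt = _xor(ct, _keystream(t.enc_key, iv, len(ct)))
    pad_len, next_hdr = pt[-2], pt[-1]
    inner = pt[:-(pad_len + 2)]
    # The SA is bound to one flow: a decrypted packet for another port is a policy violation.
    if next_hdr != IPV4_PROTO or struct.unpack("!H", inner[22:24])[0] != t.udp_port:
        raise ValueError("decrypted packet does not belong to this tunnel's flow")
    return inner
```

The inner-port check at the end is the practitioner's safeguard for this design: because the SPI alone selects the key and the channel, a peer that injects packets for a different port under a voice SPI would otherwise be decrypted and forwarded as voice, and the replay check keeps a captured ESP packet from being replayed onto the streaming channel.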

Inbound call

Uplink signalling is carried in best effort. The on-board router receives the ESP packets and passes them to the encryptor. The decrypted packet is then sent to the SIP server for transmission to the destination terminal.

When the on-board terminal goes off-hook, the RTP traffic is established and then sent to the encryptor.

Depending on the configuration file, an espi field is assigned to the traffic after encryption, and the traffic is then sent to the router for assignment of a TFT rule.

A flow identified as 0x510 and a flow identified as 0x511 transit in best effort. These flows have a match in the TFT management, which automatically assigns a STREAM32K channel to this type of flow.

The communication is automatically placed on the streaming flow type.
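The configuration listing above and the SPI-matching rule just described, worked through in Python as an added example that is not code from the patent: it parses setkey-style add/spdadd lines into the SPI, RTP port and key correspondence that the ground decryption module (81, 82) relies on, rejects key lengths setkey would refuse, reads the SPI from an ESP header, and applies the TFT rule that puts a matching flow on a STREAM32K channel while everything else stays in best effort. The addresses and keys in the sample are constructed placeholders, and the 0x510 outbound / 0x511 inbound split is taken from the page's example as seen from the on-board router.

```python
"""Parse a setkey-style SAD/SPD file and apply the page's SPI-to-channel rule.
Added example, not code from the patent; addresses and keys are constructed."""
import re
from dataclasses import dataclass

# Constructed sample, on-board router's view: 0x510 carries outbound RTP, 0x511 inbound.
SAMPLE_CONF = """\
add 10.0.0.1 10.0.1.1 esp 0x510 -m tunnel -E rijndael-cbc 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f -A hmac-sha256 0x202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f;
spdadd 192.168.10.5[30200] 192.168.20.5[30200] any -P out ipsec esp/tunnel/10.0.0.1-10.0.1.1/require;
add 10.0.1.1 10.0.0.1 esp 0x511 -m tunnel -E rijndael-cbc 0x404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f -A hmac-sha256 0x606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f;
spdadd 192.168.20.5[30200] 192.168.10.5[30200] any -P in ipsec esp/tunnel/10.0.1.1-10.0.0.1/require;
"""

SAD_RE = re.compile(
    r"add (\S+) (\S+) esp (0x[0-9a-fA-F]+) -m tunnel"
    r" -E (\S+) (0x[0-9a-fA-F]+) -A (\S+) (0x[0-9a-fA-F]+);")
SPD_RE = re.compile(
    r"spdadd (\S+)\[(\d+)\] (\S+)\[(\d+)\] any -P (in|out) ipsec"
    r" esp/tunnel/(\S+)-(\S+)/require;")


@dataclass(frozen=True)
class SaEntry:
    """One 'add' line: a security association identified by its SPI."""
    src: str
    dst: str
    spi: int
    enc_alg: str
    enc_key: bytes
    auth_alg: str
    auth_key: bytes


@dataclass(frozen=True)
class TunnelRule:
    """One row of the correspondence table: SPI <-> RTP port <-> key."""
    spi: int
    direction: str
    port: int
    enc_key: bytes


def parse_conf(text):
    sad, spd = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SAD_RE.fullmatch(line)
        if m:
            src, dst, spi, ealg, ekey, aalg, akey = m.groups()
            sad.append(SaEntry(src, dst, int(spi, 16), ealg,
                               bytes.fromhex(ekey[2:]), aalg, bytes.fromhex(akey[2:])))
            continue
        m = SPD_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unrecognised setkey line: {line}")
        spd.append(m.groups())
    return sad, spd


def check_keys(sa):
    """setkey rejects wrong-length keys; failing early avoids a silently missing SA."""
    if sa.enc_alg == "rijndael-cbc" and len(sa.enc_key) not in (16, 24, 32):
        raise ValueError(f"SPI {sa.spi:#x}: rijndael-cbc key must be 128/192/256 bits")
    if sa.auth_alg == "hmac-sha256" and len(sa.auth_key) != 32:
        raise ValueError(f"SPI {sa.spi:#x}: hmac-sha256 key must be 256 bits")


def build_table(sad, spd):
    """Join each SPD rule with the SA of its tunnel endpoints."""
    by_endpoints = {(s.src, s.dst): s for s in sad}
    table = {}
    for _src, sport, _dst, dport, direction, t_src, t_dst in spd:
        if sport != dport:
            raise ValueError("RTP port must be the same at both ends of the rule")
        sa = by_endpoints.get((t_src, t_dst))
        if sa is None:
            raise ValueError(f"no SA for tunnel {t_src}-{t_dst}")
        check_keys(sa)
        table[sa.spi] = TunnelRule(sa.spi, direction, int(sport), sa.enc_key)
    return table


def spi_from_esp(esp_header):
    """The SPI is the first 32-bit big-endian field of the ESP header (RFC 4303)."""
    if len(esp_header) < 8:
        raise ValueError("truncated ESP header")
    return int.from_bytes(esp_header[:4], "big")


class ChannelPool:
    """TFT rule: a known SPI in the expected direction gets a STREAM32K channel
    while one is free; unknown SPIs and exhausted pools stay in best effort."""

    def __init__(self, stream_channels):
        self.free = stream_channels

    def assign(self, spi, direction, table):
        rule = table.get(spi)
        if rule is None or rule.direction != direction or self.free == 0:
            return "BEST_EFFORT"
        self.free -= 1
        return "STREAM32K"
```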

The method and the system architecture according to the invention have in particular the following advantages:
For an incoming or outgoing flow, the solution makes it possible:

  • to apply the appropriate resource in terms of QoS and throughput consumption,
  • to give the flow a guaranteed bandwidth on the constrained segment,
  • to select which flows are encrypted, so that some can remain in the clear.

Since the solution is based on IPsec encryption, it allows an encrypted tunnel to be opened per communication and/or per type of traffic.

For telephony, the solution makes it possible to encrypt VoIP flows communication by communication and to assign these flows the appropriate quality of service, on outbound as well as inbound calls.

For data, the implementation of the present invention makes it possible to encrypt the flows service by service and to assign them the appropriate quality of service (QoS), on outbound as well as inbound calls. This significantly reduces the bandwidth consumed and hence the cost of communications.

Despite the significant overhead of the IPsec tunnel, the object of the present invention guarantees that all VoIP communications are encrypted and benefit from the quality of service associated with 32 K streaming.

Claims (7)

  1. System for dynamically establishing one or more encrypted tunnels for the transmission of data between a set of on-board equipment comprising one or more terminals (10), a SIP server, Session Initiation Protocol, (20), and an onboard router (30) and a second ground assembly comprising a ground router (80) and terminals (100) adapted to communicate by constrained band networks of the satellite link type, said network using a real time communication protocol, said system comprising at least the following:
    • said one or more terminals (10) on board being configured to transmit a data stream to be routed to another recipient via a satellite S, to said SIP server (20),
    • said SIP server (20) being configured to modify an identifier of the port of the real-time protocol on said stream to be encrypted and to transmit it to the router (30), said onboard router (30) comprising a first encryption module (40) and rules ensuring a path for an identified data flow,
    • the first onboard encryption module (40) being configured to read the identifier of the real-time protocol port present in a data frame to be encrypted, and if said identifier corresponds to a given value contained in a configuration file, to encrypt the data flow with a key corresponding to the identified port,
    • said first encryption module (40) being configured to add an identification data field of the encrypted data stream to the encrypted data frame,
    • the onboard router (30) being configured to apply streaming channel assignment rules to transmit the encrypted data stream(s) to a Satcom modem (60) comprising a module allowing the opening of a number of encrypted tunnels equal to the number of communications or by type of traffic,
    • the Satcom modem being configured to transmit the different encrypted data streams via the different encrypted channels to the communication satellite S,
    • a reception station (70) linked to the satellite is configured to distribute the encrypted data streams received from the satellite to the ground routing module (80) comprising an encryption-decryption module (81),
    • said encryption-decryption module (81) comprising a table (82) of correspondence between the value contained in the field identifying an encrypted data stream and a port number of the real-time communications protocol and the correspondence between a decryption key to be used and the value of the port identified, said encryption-decryption module (81) being configured to decrypt the data streams and transmit the decrypted data to a set of destination terminals.
  2. System according to claim 1 characterized in that the data terminals are voice over IP type terminals.
  3. System according to claim 1 characterized in that the router (30) is configured to apply the TFT rules, the communication system being a satellite system of the BGAN, Swiftbroadband and Fleetbroadband or GPRS type.
  4. System according to claim 1, characterized in that a communication tunnel is configured in a template file associating traffic identified by an RTP (UDP) port with an Espi value corresponding to an identifier of an encrypted tunnel, interpreted by TFT rules.
  5. System according to claim 1 characterized in that the first encryption module implements IPSec encryption.
  6. Method for dynamically establishing encrypted communication tunnels or channels between at least two sets of equipment, one said on-board station comprising a SIP server, Session Initiation Protocol, (20), one or more terminals (10) and an onboard router (30) comprising an encryption module (40), and a second ground assembly, called a ground station, comprising a ground router (80) comprising a decryption module (81) and terminals adapted for communicating by constrained band networks of the satellite link type, said network using a real-time communication protocol, said method comprising at least the following steps:
    the SIP server (20) modifies a port identifier of the protocol on the data flows transmitted by the terminals (10) and transmits them to the onboard router (30),
    1) generate a configuration file which comprises for each end of a tunnel: an identifier of the port of the real time protocol of a data stream to be encrypted, an encryption key, a value of an identifier of the encrypted data stream,
    2) encrypt a data stream by means of the encryption module (40), the encryption module executing the following steps:
    reading of an identifier of the port of the real-time protocol present in a data frame to be encrypted and if said encryption module finds in said configuration file an identifying element corresponding to the identified port, the encryption module encrypts the data stream with a key corresponding to the identified port, wherein the thus encrypted flow comprises a field identifying the destination address and an identifier of the encrypted data flow,
    3) the router (30) applies streaming channel allocation rules to transmit the encrypted traffic to a Satcom modem (60) comprising a first card (61) adapted to open communication channels in order to transmit the encrypted flows to the satellite S,
    4) the satellite S transmits the encrypted streams to a ground station (70),
    5) the encrypted streams are received by the ground router (80) and the decryption module of the ground router (81) decrypts the data stream using an encryption key associated with said identifier of the encrypted data stream in the configuration file,
    6) transmit the decrypted data stream to the recipient.
  7. Method according to claim 6, characterized in that encrypted tunnels or communication channels are established dynamically between two terminals.
EP11769850.6A 2010-10-12 2011-10-10 Method and system for dynamically establishing encrypted tunnels on constrained-band networks Active EP2628327B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1004015A FR2965995B1 (en) 2010-10-12 2010-10-12 METHOD AND SYSTEM FOR DYNAMICALLY SETTING DIGITAL TUNNELS ON BANDRATED NETWORKS
PCT/EP2011/067644 WO2012049122A1 (en) 2010-10-12 2011-10-10 Method and system for dynamically establishing encrypted tunnels on constrained-band networks

Publications (2)

Publication Number Publication Date
EP2628327A1 EP2628327A1 (en) 2013-08-21
EP2628327B1 true EP2628327B1 (en) 2020-11-25

Family

ID=44310764

Family Applications (1)

Application Number Title Priority Date Filing Date
EP11769850.6A Active EP2628327B1 (en) 2010-10-12 2011-10-10 Method and system for dynamically establishing encrypted tunnels on constrained-band networks

Country Status (7)

Country Link
US (1) US20140169562A1 (en)
EP (1) EP2628327B1 (en)
DK (1) DK2628327T3 (en)
ES (1) ES2855116T3 (en)
FR (1) FR2965995B1 (en)
MY (1) MY167096A (en)
WO (1) WO2012049122A1 (en)

Also Published As

Publication number Publication date
FR2965995B1 (en) 2012-12-14
US20140169562A1 (en) 2014-06-19
DK2628327T3 (en) 2021-03-01
MY167096A (en) 2018-08-10
ES2855116T3 (en) 2021-09-23
WO2012049122A1 (en) 2012-04-19
EP2628327A1 (en) 2013-08-21
FR2965995A1 (en) 2012-04-13
